The social network says that the passwords
were never exposed externally and that it found no abuse of the glitch.
Facebook has fixed a bug that caused the
passwords of many of its users to be stored in plain text and visible to
the social network’s employees.
“As part of a routine security review in
January, we found that some user passwords were being stored in a readable
format within our internal data storage systems,” Pedro Canahuati, Facebook’s
Vice President for Engineering, Security, and Privacy, wrote in a statement on Thursday.
The flaw is estimated to have affected
passwords for “hundreds of millions of Facebook Lite users, tens of millions of
other Facebook users, and tens of thousands of Instagram users”.
Importantly, the social media giant said that
the passwords were never exposed to anyone outside the company and that it
detected no abuse of the bug.
Meanwhile, a report by security journalist Brian Krebs, released before
Facebook’s statement, sheds a little more light on the issue.
Citing a senior Facebook employee, Krebs
wrote that up to 600 million people may have been affected by the bug, which
left their passwords searchable by more than 20,000 Facebook employees. At
least some of the passwords were said to be stored insecurely – that is,
without being salted and hashed – as early as 2012.
“My Facebook insider said access logs showed
some 2,000 engineers or developers made approximately nine million internal
queries for data elements that contained plain text user passwords,” wrote
Krebs. He said the issue stemmed from Facebook engineers designing internal
applications that inadvertently logged unencrypted passwords.
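The two failures described above, internal applications logging request data that contains passwords and passwords kept without salting and hashing, are easy to illustrate with a small defender-side check. The following is an added example, not Facebook's code or anything from Krebs's report: the log lines are constructed, the field names in SENSITIVE_KEYS are an assumed list, and PBKDF2 stands in for whatever password hash a real system would use.

```python
import hashlib
import hmac
import os
import re

# Constructed sample log lines (not real Facebook data). The first and third
# lines show how a "log the whole request" habit leaks plaintext passwords.
SAMPLE_LOG = [
    '2019-01-14 10:02:11 INFO login_service request={"user": "alice", "password": "hunter2"}',
    '2019-01-14 10:02:12 INFO feed_service request={"user": "alice", "page": 2}',
    '2019-01-14 10:02:13 DEBUG auth form: user=bob&pass=s3cret&remember=1',
]

# Assumed list of field names whose literal values must never reach a log.
SENSITIVE_KEYS = ("password", "passwd", "pass", "pwd", "secret", "token")
PATTERN = re.compile(
    r'(?P<key>(?<!\w)"?(%s)"?\s*[:=]\s*)(?P<val>"[^"]*"|[^&\s,}]+)'
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)

def find_leaks(lines):
    """Scan log lines; return (line_no, field) for each sensitive field found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PATTERN.finditer(line):
            hits.append((n, m.group(2).lower()))
    return hits

def redact(line):
    """Replace the value of every sensitive field so the line is safe to log."""
    return PATTERN.sub(lambda m: m.group("key") + "[REDACTED]", line)

def hash_password(password, salt=None):
    """Salted, deliberately slow hash: store only (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

Running find_leaks over an application's log output is a cheap way to catch the logging mistake the report describes before it accumulates years of history.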
Facebook said in the statement that it will
notify all users affected by the bug, but won’t require them to change their
passwords.
In this context, Krebs quoted Facebook
software engineer Scott Renfro as saying that the company aims to force
password resets only “in cases where there’s definitely been signs of abuse”.
This, per Facebook, isn’t the case here.
Nevertheless, this may not be enough to dispel
your concerns, in which case you may want to change your password and turn on two-factor authentication for an extra layer of
security.